• Mark Rutland's avatar
    arm64: fix strlen() with CONFIG_KASAN_HW_TAGS · 5f34b1eb
    Mark Rutland authored
    When the kernel is built with CONFIG_KASAN_HW_TAGS and the CPU supports
    MTE, memory accesses are checked at 16-byte granularity, and
    out-of-bounds accesses can result in tag check faults. Our current
    implementation of strlen() makes unaligned 16-byte accesses (within a
    naturally aligned 4096-byte window), and can trigger tag check faults.
    
    This can be seen at boot time, e.g.
    
    | BUG: KASAN: invalid-access in __pi_strlen+0x14/0x150
    | Read at addr f4ff0000c0028300 by task swapper/0/0
    | Pointer tag: [f4], memory tag: [fe]
    |
    | CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.13.0-09550-g03c2813535a2-dirty #20
    | Hardware name: linux,dummy-virt (DT)
    | Call trace:
    |  dump_backtrace+0x0/0x1b0
    |  show_stack+0x1c/0x30
    |  dump_stack_lvl+0x68/0x84
    |  print_address_description+0x7c/0x2b4
    |  kasan_report+0x138/0x38c
    |  __do_kernel_fault+0x190/0x1c4
    |  do_tag_check_fault+0x78/0x90
    |  do_mem_abort+0x44/0xb4
    |  el1_abort+0x40/0x60
    |  el1h_64_sync_handler+0xb0/0xd0
    |  el1h_64_sync+0x78/0x7c
    |  __pi_strlen+0x14/0x150
    |  __register_sysctl_table+0x7c4/0x890
    |  register_leaf_sysctl_tables+0x1a4/0x210
    |  register_leaf_sysctl_tables+0xc8/0x210
    |  __register_sysctl_paths+0x22c/0x290
    |  register_sysctl_table+0x2c/0x40
    |  sysctl_init+0x20/0x30
    |  proc_sys_init+0x3c/0x48
    |  proc_root_init+0x80/0x9c
    |  start_kernel+0x640/0x69c
    |  __primary_switched+0xc0/0xc8
    
    To fix this, we can reduce the (strlen-internal) MIN_PAGE_SIZE to 16
    bytes when CONFIG_KASAN_HW_TAGS is selected. This will cause strlen() to
    align the base pointer downwards to a 16-byte boundary, and to discard
    the additional prefix bytes without counting them. All subsequent
    accesses will be 16-byte aligned 16-byte LDPs. While the comments say
    the body of the loop will access 32 bytes, this is performed as two
    16-byte acceses, with the second made only if the first did not
    encounter a NUL byte, so the body of the loop will not over-read across
    a 16-byte boundary.
    
    No other string routines are affected. The other str*() routines will
    not make any access which straddles a 16-byte boundary, and the mem*()
    routines will only make acceses which straddle a 16-byte boundary when
    which is entirely within the bounds of the relevant base and size
    arguments.
    
    Fixes: 325a1de8
    
     ("arm64: Import updated version of Cortex Strings' strlen")
    Signed-off-by: default avatarMark Rutland <mark.rutland@arm.com>
    Cc: Alexander Potapenko <glider@google.com
    Cc: Andrey Konovalov <andreyknvl@gmail.com>
    Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
    Cc: Catalin Marinas <catalin.marinas@arm.com>
    Cc: Dmitry Vyukov <dvyukov@google.com>
    Cc: Marco Elver <elver@google.com>
    Cc: Robin Murphy <robin.murphy@arm.com>
    Cc: Will Deacon <will@kernel.org>
    Reviewed-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
    Reviewed-by: default avatarRobin Murphy <robin.murphy@arm.com>
    Link: https://lore.kernel.org/r/20210712090043.20847-1-mark.rutland@arm.com
    
    Signed-off-by: default avatarWill Deacon <will@kernel.org>
    5f34b1eb
strlen.S 6.17 KB